Offer lightweight cryptographic alternatives for constrained environments

[jvz]

As currently being standardized by the NIST LWC project, there are some very promising algorithms proposed, particularly ones that use a sponge function as popularized by FIPS 202/SHA-3/Keccak. These sponge functions offer extremely versatile cryptographic primitives as demonstrated by libhydrogen and its use of the Gimli permutation.

Based on the ECRYPT benchmarks for the NIST LWC submissions, I propose supporting the top three permutations along with their higher level primitives (AEAD/MAC, MD, PRF, KDF):

• Ascon - winner of the CAESER competition, current contestant in LWC
• Gimli - interesting sponge with support for hardware as constrained as 8-bit microcontrollers
• Xoodoo - taking the state shape formed in Gimli, this can be used in the Xoodyak scheme; note the project XKCP which has reference and optimized implementations of Xoodoo (and Keccak)

As these permutations and cryptographic schema are all fairly new, there doesn't seem to be much in the way of Java libraries supporting them already. Ascon has a Java reference implementation, but in order to support the algorithms, the C reference implementations should be ported to Java (along with fixing any non-constant-time checks in the reference implementations; the sample code seems to usually be lazy about this). At the very least, pure Java implementations should be offered. Linking to optimized C variants may be considered for alternatives, though it's also possible that there may be too much overhead from JNI.

[jvz]

JMH tests might be nice, too, since the NIST test vectors are all relatively small. The unit tests running the vectors seem to execute in about 0.1 seconds for all three algorithms so far, but that may easily change after warmup.